Abstract

We explore asynchronous unison in the presence of systemic transient and permanent Byzantine faults in shared memory. We observe that the problem is not solvable under less than a strongly fair scheduler or for system topologies with maximum node degree greater than two. We present a self-stabilizing Byzantine-tolerant solution to asynchronous unison for chain and ring topologies. Our algorithm has the minimum possible containment radius and optimal stabilization time.

1 Introduction 

Asynchronous unison [22] requires processors to maintain synchronization between their counters, called clocks. Specifically, each processor has to increment its clock indefinitely while the clock drift from its neighbors must not exceed 1. Asynchronous unison is a fundamental building block for a number of principal tasks in distributed systems, such as distributed snapshots and synchronization.

A practical large-scale distributed system must counter a variety of transient and permanent faults. A systemic transient fault may perturb the configuration of the system and leave it in an arbitrary configuration. Self-stabilization [10] is a versatile technique for forward recovery from transient faults. The Byzantine fault is the most generic permanent fault model: a faulty processor may behave arbitrarily. However, designing distributed systems that handle both transient and permanent faults has proved rather difficult [3]. Some of the difficulty is due to the inability of the system to counter Byzantine behavior by relying on the information encoded in the global system configuration: a transient fault may place the system in an arbitrary configuration.

In this context, considering joint Byzantine and systemic transient fault tolerance for asynchronous unison appears futile. Indeed, the Byzantine processor may keep setting its clock to an arbitrary value while the clocks of the correct processors are completely out of synchrony. Nonetheless, we are happy to report that the problem is solvable. In this paper we present a shared-memory Byzantine-tolerant self-stabilizing asynchronous unison algorithm that operates on chain and ring system topologies. The algorithm operates under a strongly fair scheduler. We show that the problem is unsolvable for any other topology or for a less stringent scheduler. Our algorithm achieves the minimal fault-containment radius: each correct processor eventually synchronizes with its correct neighbors. We prove our algorithm correct and demonstrate that its stabilization time is asymptotically optimal.
Related work. The impetus of this work is the study by Dubois et al. [14]. They consider joint tolerance to crash faults and systemic transient faults. The key observation that enables this avenue of research is that the definition of asynchronous unison does not preclude the correct processors from decrementing their clocks. This allows the processors to synchronize and maintain unison even while their neighbors may crash or behave arbitrarily.

There are several pure self-stabilizing solutions to the unison problem. None of those tolerate Byzantine faults.

Classic Byzantine fault tolerance focuses on masking the fault. There are self-stabilizing Byzantine-tolerant clock synchronization algorithms for completely connected synchronous systems, both probabilistic [3] and deterministic [17]. The probabilistic and deterministic solutions tolerate up to one-third and one-fourth of faulty processors, respectively.

Another approach to joint transient and Byzantine tolerance is containment. For tasks whose correctness can be checked locally, such as vertex coloring, link coloring or dining philosophers, the fault may be isolated within a region of the system. Strict-stabilization guarantees that there exists a containment radius outside of which the processors are not affected by the fault [20, 23, 24]. Yet some problems are not local and do not admit strict stabilization. However, the tolerance requirements may be weakened to strong-stabilization [19, 21], which allows the processors arbitrarily far from the faulty processor to be affected. The faulty processor can affect the correct processors only a finite number of times. Strong-stabilization enables solutions to several problems, such as tree orientation and tree construction.

2 Model, Definitions and Notation 

Program syntax and semantics. A distributed system consists of n processors that form a communication graph. The processors are nodes in this graph. The edges of this graph are pairs of processors that can communicate with each other. Such pairs are neighbors. The distance between two processors is the length of the shortest path between them in this communication graph. Each processor contains variables and rules. A variable ranges over a fixed domain of values. A rule is of the form (label) : (guard) → (command). A guard is a boolean predicate over processor variables. A command is a sequence of assignment statements. Processor p may mention its variables anywhere in its guards and commands. That is, p can read and update its variables. However, p may not mention the variables of its neighbors on the left-hand sides of the assignment statements of its commands. That is, p may only read the variables of its neighbors.

A processor is either correct or faulty. In this paper we consider crash faults and Byzantine faults. A crashed processor stops the execution of its rules for the remainder of the run. A processor affected by a Byzantine fault disregards its program and may write arbitrary values to its variables. Note that, in a given state, a Byzantine processor exhibits the same state to all its neighbors. When the fault type is not explicitly mentioned, the fault is Byzantine.

An assignment of values to all variables of the system is a configuration. A rule whose guard is true in some system configuration is enabled in this configuration; the rule is disabled otherwise. An atomic execution of a subset of enabled rules transitions the system from one configuration to another. This transition is a step. Note that a faulty processor is assumed to always have an enabled rule, and its step consists of writing arbitrary values to its variables. A run of a distributed system is a maximal sequence of such transitions. By maximality we mean that the sequence is either infinite or ends in a state where none of the rules are enabled.

Schedulers. A scheduler (also called daemon) is a restriction on the runs to be considered. The schedulers differ by execution semantics and by fairness. The scheduler is synchronous if in every run each step contains the execution of every enabled rule. The scheduler is asynchronous otherwise. There are several types of asynchronous schedulers. In the runs of a distributed (also called powerset) scheduler, a step may contain the execution of an arbitrary subset of enabled rules. This is the least restrictive scheduler. In the runs of a central scheduler, every step contains the execution of exactly one enabled rule. In the runs of a locally central scheduler, the step may contain the execution of multiple enabled rules as long as none of the rules belong to neighbor processors. Central and locally central schedulers are equivalent. That is, they define the same set of runs. In this paper we consider these two types of schedulers.

With respect to fairness, the schedulers are classified as follows. The most restrictive is the strongly fair scheduler. In every run of this scheduler, a rule is executed infinitely often if it is enabled in infinitely many configurations of the run. Note that the strongly fair scheduler requires that the rule is executed even if it continuously keeps being enabled and disabled throughout the run. Less restrictive is the weakly fair scheduler. In every run of this scheduler, a rule is executed infinitely often if it is enabled in all but finitely many configurations of the run. That is, the rule has to be executed only if it is continuously enabled. An unfair scheduler places no fairness restrictions on the runs of the distributed system. Faulty processors are not subject to the scheduling restrictions of any of the schedulers: a faulty processor may take no steps during a run or it may take infinitely many steps.

Predicates and specifications. A predicate is a boolean function over program configurations. A configuration conforms to some predicate R if R evaluates to true in this configuration. The configuration violates the predicate otherwise. Predicate R is closed in a certain program P if every configuration of a run of P conforms to R provided that the program starts from a configuration conforming to R. Note that if a program configuration conforms to R and, after the execution of any step of P, the resultant configuration also conforms to R, then R is closed in P.

A processor specification for a processor p defines a set of configuration sequences. These sequences are formed by variables of some subset of processors in the system. This subset always includes p itself. A problem specification, or just problem, defines specifications for each processor of the system. A problem specification in the presence of faults defines specifications for correct processors only. Program P solves problem S under a certain scheduler if every run of P satisfies the specifications defined by S. A closed predicate I is an invariant of program P with respect to problem S if every run of P that starts in a state conforming to I satisfies S. An f-fault d-distance invariant I_{f,d} is a particular invariant of P such that if the system has no more than f faulty processors then in every run that starts in a configuration conforming to I_{f,d}, each processor at distance at least d away from the fault satisfies the problem S. That is, only correct processors at distance d or higher have to satisfy the specification.

A program P is self-stabilizing to specification S if every run of P that starts in an arbitrary configuration contains a configuration conforming to an invariant of P. A program P is strictly-stabilizing for f faults and distance d, denoted (f, d)-strictly-stabilizing, to problem S if P converges to an f-fault d-distance invariant I_{f,d}.

Unison specification. Consider a system of processors each of which has a natural number variable c called clock. The clock drift between two processors is the difference between their clock values. Two neighbor processors are in unison if their drift is no more than one.

Asynchronous unison specifies that, for every processor p, every program run has to comply 
with the following two properties. 

Safety: in every configuration, processor p is in unison with its neighbors; 

Liveness: the clock of processor p is incremented infinitely often. 

A program that solves the asynchronous unison problem is minimal if the only variable that each processor has is its clock.
processor p

constants l, r: left and right neighbors of p
          dg_p: degree of p
variable  c_p:  natural number, clock value of p

rules

end processor rules

leftEndUp:   (dg_p = 1) ∧ (c_p < c_r) → c_p := c_r + 1
leftEndDown: (dg_p = 1) ∧ (c_p > c_r) → c_p := c_r − 1
rightEndUp and rightEndDown are similar

middle processor operation rules

middleLeftUp:   (dg_p = 2) ∧ (c_p = c_l ∨ c_p = c_l − 1) ∧ (c_p < c_r) → c_p := c_p + 1
middleLeftDown: (dg_p = 2) ∧ (c_p = c_l ∨ c_p = c_l + 1) ∧ (c_p > c_r) → c_p := c_p − 1
middleRightUp and middleRightDown are similar

middle processor synchronization rules

syncUp:   (dg_p = 2) ∧ (c_p < c_l − 1) ∧ (c_p < c_r − 1) → c_p := min{c_l, c_r}
syncDown: (dg_p = 2) ∧ (c_p > c_l + 1) ∧ (c_p > c_r + 1) → c_p := max{c_l, c_r}

Figure 1: SSU: (1, 0)-strict-stabilizing asynchronous unison algorithm for chains and rings.

3 Impossibility Results and Model Justification 

Dubois et al. [14] established a number of impossibility results for asynchronous unison and crash faults. These results are immediately applicable to Byzantine faults, as a Byzantine process may emulate a crash fault by never executing a step. We summarize their results in the theorem below.

Theorem 1 ([14]) There does not exist a minimal (f, d)-strictly-stabilizing solution to the asynchronous unison problem in shared memory for any distance d > if the communication graph of the distributed system contains processors of degree greater than two, or if the number of faults is greater than one, or if the scheduler is either unfair or weakly fair.

The intuition behind the impossibility results is as follows. If the system contains a processor p with at least three neighbors, the neighbors can cycle through their states such that all three are always in unison with p, yet p cannot update its clock without breaking unison with at least one neighbor. If the system allows two faults, then the faulty processors may hold clock values so far apart that if the correct processors stay in unison with the faulty ones then they are not able to synchronize with each other. If the execution scheduler is either unfair or weakly fair, then one correct processor may cycle through its unison states such that its neighbor is never given an opportunity to update its clock.

The results of Theorem 1 leave the following execution model that is still open for solutions: a system topology with maximum degree at most two (i.e. a chain or a ring), at most one fault, and a strongly fair scheduler. We pursue solutions for this particular model in the remainder of the paper.
4 SSU: A Strict-Stabilizing Unison for Chains and Rings

In this section we present the (1, 0)-strictly-stabilizing minimal asynchronous unison algorithm, prove its correctness and evaluate its stabilization performance.

4.1 Algorithm Description 

The algorithm can operate on either chain or ring system topologies. For the description of the 
algorithm, let us introduce some topological terminology. A middle processor has two neighbors. 
An end processor has only one. In a ring every processor is a middle processor. A chain has 
two end processors. We consider the system of processors to be laid out horizontally left to right. 
We, therefore, speak of left and right neighbor for a processor and left and right ends of a chain. 

Recall that drift between two processors p and q is the difference between their clock values. 
Two processors p and q are in unison if the drift between them is no more than 1. An island 
is a segment of correct processors such that for each processor p, if its neighbor q is also in this 
island, then p and q are in unison. A processor with no in-unison neighbors is assumed to be a 
single-processor island. Note that a faulty processor never belongs to an island. The width of 
an island is the number of processors in this island. 

The main idea of the algorithm is as follows. Processors form islands of processors with synchronized clocks. The algorithm is designed such that the clocks of the processors of adjacent islands drift closer to each other and the islands eventually merge. If a faulty processor restricts the drift of one such island, for example by never changing its clock, the other islands still drift and synchronize with the affected island.

Operation description. A detailed description of SSU is shown in Figure 1. Specifically, SSU operates as follows. Each processor p maintains a single variable c_p where it stores its current clock value. That is, our algorithm is minimal.

We grouped the processor rules into end processor rules and middle processor rules. Middle processor rules are further grouped into operation rules, executed when the processor is in unison with at least one of its neighbors, and synchronization rules, executed otherwise.

At least one rule is always enabled at an end processor. Depending on the clock value of 
its neighbor, the left end processor either increments or decrements its own clock using rules 
leftEndUp and leftEndDown. The operation of the right end processor is similar. 

Let us describe the rules of a middle processor. If processor p is in unison with its left neighbor, p can adjust c_p to match its right neighbor using rules middleLeftUp or middleLeftDown. The execution of neither rule breaks the unison of p and its left neighbor. A similar adjustment is done for the left neighbor using middleRightUp and middleRightDown. Note that if p is in unison with both of its neighbors and c_l and c_r differ by 2, none of these rules of p are enabled, as any change of c_p breaks the unison with a neighbor of p.

If p is in unison with neither of its neighbors, and the clocks of the two neighbors are either 
both greater or both less than the clock of p, the processor synchronizes its clock with one of the 
neighbors using rule syncDown or syncUp. 

Example operation. The operation of our algorithm is best understood with an example. Figure 2 shows the operation of SSU on a chain without a permanent fault. Figure 3 illustrates the operation of SSU on a chain with a faulty processor. Figures 4 and 5 show the operation of SSU on rings, respectively without and with a faulty processor.
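The figures are not reproduced here, so the following simulation serves as a worked example. It is added for this edition and is not code from the paper: it encodes the Figure 1 rules as written, runs them under a random central scheduler, and checks on constructed inputs that correct neighbors in unison never separate (Lemma 1), that the maximum correct drift L never grows under a correct step, and that INV is reached and then kept, on a chain whose right end is Byzantine and on a ring with a crashed processor. The rightEnd*/middleRight* mirror rules and the use of random choice in place of a strongly fair scheduler are assumptions of this example.

```python
"""Simulation of the SSU rules of Figure 1 on a chain or ring with at most one
Byzantine processor.  Added example; not code from the paper."""
import random


def neighbours(p, n, topo):
    """Return (l, r) for processor p; None marks the missing neighbour of a chain end."""
    if topo == "ring":
        return (p - 1) % n, (p + 1) % n
    return (p - 1 if p > 0 else None), (p + 1 if p < n - 1 else None)


def enabled_rules(c, p, topo):
    """Rules of Figure 1 enabled at p in configuration c, as (name, new value of c_p).
    The rightEnd*/middleRight* rules are the mirror images the figure leaves implicit
    (assumption of this example)."""
    l, r = neighbours(p, len(c), topo)
    cp, out = c[p], []
    if l is None or r is None:                      # end processor, dg_p = 1
        q = r if l is None else l
        if cp < c[q]:
            out.append(("endUp", c[q] + 1))
        if cp > c[q]:
            out.append(("endDown", c[q] - 1))
        return out
    cl, cr = c[l], c[r]                             # middle processor, dg_p = 2
    if cp in (cl, cl - 1) and cp < cr:              # operation rules: in unison with
        out.append(("middleLeftUp", cp + 1))        # one neighbour, move toward the other
    if cp in (cl, cl + 1) and cp > cr:
        out.append(("middleLeftDown", cp - 1))
    if cp in (cr, cr - 1) and cp < cl:
        out.append(("middleRightUp", cp + 1))
    if cp in (cr, cr + 1) and cp > cl:
        out.append(("middleRightDown", cp - 1))
    if cp < cl - 1 and cp < cr - 1:                 # synchronization rules: in unison
        out.append(("syncUp", min(cl, cr)))         # with neither neighbour
    if cp > cl + 1 and cp > cr + 1:
        out.append(("syncDown", max(cl, cr)))
    return out


def correct_pairs(n, topo, faulty=None):
    """Neighbouring pairs in which both processors are correct."""
    pairs = [(i, i + 1) for i in range(n - 1)]
    if topo == "ring":
        pairs.append((n - 1, 0))
    return [(a, b) for a, b in pairs if faulty not in (a, b)]


def max_correct_drift(c, topo, faulty=None):
    """L: the largest clock drift between two correct neighbours."""
    return max((abs(c[a] - c[b]) for a, b in correct_pairs(len(c), topo, faulty)), default=0)


def inv_holds(c, topo, faulty=None):
    """INV: every correct processor is in unison with its correct neighbours."""
    return max_correct_drift(c, topo, faulty) <= 1


def check_run(c0, topo, faulty=None, byzantine=None, steps=4000, seed=7):
    """Run SSU under a random central scheduler (one rule per step; random choice
    stands in for strong fairness) and record three properties of the run:
      closure        - correct neighbours in unison never leave unison (Lemma 1)
      drift          - the maximum correct drift L never grows beyond max(L, 1)
                       under a correct step (the quantity Theorem 6 counts down)
      inv_reached_at - first step at which INV holds; inv_kept says it then stays
    byzantine(rng, c) returns the value the faulty processor writes when it is
    scheduled; None models a crashed processor."""
    rng, c, n = random.Random(seed), list(c0), len(c0)
    res = {"closure": True, "drift": True, "inv_reached_at": None, "inv_kept": True}
    for step in range(steps):
        if inv_holds(c, topo, faulty):
            if res["inv_reached_at"] is None:
                res["inv_reached_at"] = step
        elif res["inv_reached_at"] is not None:
            res["inv_kept"] = False
        choices = [(p, v) for p in range(n) if p != faulty
                   for _, v in enabled_rules(c, p, topo)]
        if faulty is not None and byzantine is not None:
            choices.append((faulty, byzantine(rng, c)))
        if not choices:
            break
        p, v = rng.choice(choices)
        before = list(c)
        c[p] = v
        if p != faulty:
            old = max_correct_drift(before, topo, faulty)
            if max_correct_drift(c, topo, faulty) > max(old, 1):
                res["drift"] = False
            for a, b in correct_pairs(n, topo, faulty):
                if abs(before[a] - before[b]) <= 1 < abs(c[a] - c[b]):
                    res["closure"] = False
    res["final"] = c
    return res


if __name__ == "__main__":
    # Constructed sample: chain of five, rightmost processor Byzantine and writing
    # an arbitrary value whenever the scheduler picks it.
    print(check_run([50, 42, 42, 60, 55], "chain", faulty=4,
                    byzantine=lambda rng, c: rng.randint(0, 100)))
```

Changing the guards of the end rules from strict to non-strict comparisons is a one-line experiment that shows whether an end processor can ever be left with no enabled rule, as the text claims it cannot.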

4.2 Correctness Proof 

Chains. For chains it is sufficient to consider the operation of the algorithm for the case where the faulty processor is at the end of the chain. Indeed, if the faulty processor is in the middle of the chain, the synchronization of the two segments of correct processors is independent of each other. Thus, without loss of generality, we assume that if there exists a faulty processor in the system, it is always the right end processor.

Figure 2: An example operation sequence of SSU on a chain with no faults. Numbers represent clock values. The squared processor has an enabled rule to be executed.

Figure 3: An example operation sequence of SSU on a chain with a faulty processor. Numbers are processor clock values. The faulty processor is in a double circle. The squared processor has an enabled rule to be executed.

Figure 4: An example operation sequence of SSU on a ring with no faults. Numbers represent clock values. The squared processor has an enabled rule to be executed.

Figure 5: An example operation sequence of SSU on a chain with a faulty processor. Numbers are processor clock values. The faulty processor is in a double circle. The squared processor has an enabled rule to be executed.

Figure 6: The transitions of in-unison neighbor processors l and p. An illustration for the proof of Lemma 2.

Lemma 1 If a run of SSU on a chain starts from a configuration where two processors p 
and q belong to the same island, then the two processors belong to the same island in every 
configuration of this run. 

In other words, Lemma 1 states that an island is never broken. The validity of the lemma can be easily ascertained by examination of the algorithm's rules, as a processor never desynchronizes from its in-unison neighbor.

Lemma 2 In every run of SSU on a chain, each processor in the leftmost island takes an 
infinite number of steps. 

Proof. The proof is by induction on the width of the island. In every configuration, the left end processor has either leftEndUp or leftEndDown enabled. Due to the strongly fair scheduler, this processor takes an infinite number of steps in every run.

Assume that the left neighbor l of processor p that belongs to the leftmost island takes an infinite number of steps in the run. According to Lemma 1, l and p are in unison in every configuration of this run. That is, l and p transition between the three sets of states: c_l = c_p + 1, c_l = c_p and c_l = c_p − 1. See Figure 6 for an illustration. Observe that, regardless of the clock value of the right neighbor of p, if c_l = c_p then p has either the middleLeftUp or the middleLeftDown rule enabled. If p executes this rule, the system goes either to a state where c_l = c_p + 1 or to one where c_l = c_p − 1. Since l executes infinitely many steps in the run, a configuration where c_l = c_p repeats infinitely often. That is, one of p's rules is enabled infinitely often in this run. Since the scheduler is strongly fair, p executes infinitely many steps. □

Lemma 3 If a run of SSU on a chain starts from a configuration where processor p belongs to the leftmost island while its right correct neighbor r does not, then this run contains a configuration where both p and r belong to the same island.

In other words, Lemma 3 claims that every two adjacent islands eventually merge.

Proof. We prove the lemma by demonstrating that the drift between p and r decreases to zero in every run of SSU. Let us consider the rules of r. The execution of any rule by r can only decrease the drift between the two processors. The execution of the rules by p always decreases the drift as well. According to Lemma 2, p takes infinitely many steps in this run. This means that this run contains a configuration where the drift between p and r is zero. □
Define the following predicate:

INV = each correct processor is in unison with its correct neighbors



Theorem 2 Algorithm SSU on chains stabilizes to INV.

Proof (sketch). If every correct processor is in unison with its neighbors, all correct processors belong to a single island. The closure of INV follows from Lemma 1. Note that Lemma 3 guarantees that the two leftmost islands eventually merge. The convergence of SSU to INV can be proven by induction on the number of islands in the initial configuration. □

Theorem 3 Predicate INV is a (1, 0)-invariant of SSU on chains with respect to the asynchronous unison problem.

In other words, Theorem 3 states that every run of SSU starting from a configuration conforming to INV satisfies the specification of asynchronous unison.

Proof. The safety property of asynchronous unison follows immediately from the closure of INV. Let us consider the liveness property. Once in unison, the only operation that a processor can execute on its clock is an increment or a decrement. According to Lemma 2, every correct processor of the system takes an infinite number of steps. Since the clock values are natural numbers, each processor is bound to execute an infinite number of clock increments. Hence the liveness. □

Rings. Since there are no end processors on a ring, we only have to consider the middle 
processor rules. 

Lemma 4 If a run of SSU on a ring starts from a configuration where two processors p and q 
belong to the same island, then the two processors belong to the same island in every configuration 
of this run. 

The above lemma is proven similarly to Lemma 1.

Lemma 5 In every run of SSU on a ring, there is an island where every processor takes an 
infinite number of steps. 

Proof (sketch). Observe that in every configuration of SSU on a ring, there is at least one correct processor whose clock holds the largest or the smallest value in the system. This processor has a rule enabled. Since we consider a strongly fair scheduler, there are infinitely many steps executed by correct processors in every run of SSU. Since there are finitely many correct processors, at least one correct processor takes infinitely many steps. Let us consider the island to which this processor belongs. The rest of the lemma is proven by induction on the width of this island, similarly to Lemma 2. □

Lemma 6 If a run of SSU starts from a configuration where there is more than one island, 
then this run contains a configuration where some two islands merge. 

Proof (sketch). Let us consider the initial configuration of SSU on a ring with more than one island. According to Lemma 5, there is at least one island in this configuration where every processor takes an infinite number of steps. Assume, without loss of generality, that this island has an adjacent island to the right. An argument similar to the one employed in the proof of Lemma 3 demonstrates that these islands eventually merge. □

The two theorems below are proven similarly to their equivalents for the chain topology.

Theorem 4 Algorithm SSU on rings stabilizes to INV.

Theorem 5 Predicate INV is a (1, 0)-invariant of SSU on rings with respect to the asynchronous unison problem.



4.3 Stabilization Time 



In this section, we compute the stabilization time of SSU. We estimate the stabilization time in the number of asynchronous rounds. In general, this notion is somewhat tricky to define for a strongly fair scheduler, as the actions of processors may become disabled and then enabled arbitrarily many times before execution. However, the definition simplifies for the case of SSU, as every correct processor takes an infinite number of steps. We define an asynchronous round to be the smallest segment of a run of the algorithm in which every correct processor executes a step.

Upper bound of SSU. First, we show that SSU needs at most L rounds to stabilize, where L is the largest clock drift between correct processors in the system.

Theorem 6 The stabilization time of SSU is in O(L) rounds both on chains and rings, where L is the maximum clock drift between two correct neighbors in the initial configuration.

Proof. Assume that there exists an execution ω such that there exist at least two distinct islands I_1 and I_2 at the end of round L_ω (where L_ω is the maximum clock drift between two correct neighbors in the initial configuration of ω). Note that L_ω ≥ 2. Otherwise, every processor is in unison with its neighbors in the initial configuration, and Lemma 1 or 4 implies that I_1 and I_2 are never distinct.

Let p and q be two neighbor processors such that p ∈ I_1 and q ∈ I_2. Without loss of generality, we can assume that c_q < c_p in the initial configuration of ω. By construction, we have c_p − c_q ≤ L_ω.

While I_1 and I_2 are distinct, according to the proof of Lemma 3 or 6, the following property holds: c_q < c_p.

In the case where the system is a chain, note that p and q are not end processors. Otherwise, p and q are in unison at the end of the first round, since an end processor synchronizes its clock with that of its neighbor at its first activation, and this contradicts the construction of ω and the fact that L_ω ≥ 2.

Now, we can observe that any activation of p by a middle processor operation or synchronization rule can only decrease the clock value of p, by at least one.

Following the definition of an asynchronous round, there is at least one activation of p during each round of ω. Then, we can conclude that, at the end of round i (1 ≤ i ≤ L_ω), we have:

c_p − c_q ≤ L_ω − i.

We can deduce that p and q are necessarily in unison at the end of round L_ω − 1, which contradicts the construction of ω. Then, the stabilization time of SSU is in O(L) rounds both on chains and rings. Hence the result. □

Lower bound on chains. Next, we show that any (1, 0)-strictly-stabilizing deterministic minimal asynchronous unison on a chain needs at least L rounds to stabilize, where L is the largest clock drift between correct processors in the system.

In the following lemmas, A denotes any (1, 0)-strictly-stabilizing deterministic minimal asynchronous unison on a chain under a central strongly fair scheduler.

Lemma 7 When a middle processor is in unison with only one of its neighbors, any enabled 
rule of A for this processor maintains this unison. 

Proof. Assume that there exists a set of clock values {a, b, c} (with |a − b| ≤ 1 and |b − c| ≥ 2) such that a middle processor p is enabled by a rule R of A when c_p = b and the neighbors' clocks are respectively a and c, and that R modifies c_p into a value b' (with |a − b'| ≥ 2).

Then, consider the following initial configuration: V = {l, p, r}, E = {{l, p}, {p, r}}, r is Byzantine and c_l = a, c_p = b, c_r = c (see Figure 7). We can observe that this configuration satisfies INV. By construction, p is enabled by R in this configuration (recall that A is minimal and deterministic). If the scheduler chooses p, then we obtain a configuration which does not satisfy INV. Hence, A does not respect the closure of the safety property of asynchronous unison. This contradicts its construction. □

Figure 7: Configuration used in the proof of Lemma 7.

Figure 8: Configuration used in the proof of Lemma 8 (clock values a, b, c, c − 1).

Lemma 8 When a middle processor p is in unison with only one of its neighbors (denote by 
q the other neighbor of p), the following property holds: in any execution starting from this 
configuration in which q remains not synchronized with p, p moves its clock closer to the clock 
of q in a finite time. 

Proof. Assume that there exists a set of clock values {a, b, c} (with |a − b| ≤ 1 and |b − c| ≥ 2) such that there exists an execution ω starting from a configuration in which c_p = b and the neighbors' clocks are respectively a and c (denote by q the processor such that c_q = c), in which q remains not synchronized with p and in which p never moves its clock closer to the clock of q.

We deal with the case where b > c (the case where b < c is similar). Then, consider the following initial configuration s_0: V = {l, p, q, r}, E = {{l, p}, {p, q}, {q, r}}, r is Byzantine and c_l = a, c_p = b, c_q = c, c_r = c − 1 (see Figure 8). If r acts as a crashed processor, its clock value remains constant. Then, by Lemma 7, we have c_q ∈ {c, c − 1, c − 2} in any state of any execution starting from s_0. Hence, p cannot distinguish this execution from ω (recall that A is minimal and deterministic). Consequently, there exists an execution starting from s_0 such that c_p > b and c_q ≤ c in any state. This contradicts the convergence property of A. □

Lemma 9 When an end processor is in unison with its neighbor, there exists an enabled rule 
of A for this processor. 

Proof. Assume that there exists a set of clock values {a, b} (with |a − b| ≤ 1) such that an end processor p is not enabled by any rule of A when c_p = a and its neighbor's clock is b.

Then, consider the following initial configuration: V = {p, r}, E = {{p, r}}, r is Byzantine and c_p = a, c_r = b (see Figure 9). By construction, p is not enabled in this configuration (recall that A is minimal and deterministic). Assume now that r acts as a crashed processor. Then, we can observe that p is never enabled in this execution, which contradicts the liveness property of (1, 0)-strictly-stabilizing asynchronous unison. □

Figure 9: Configuration used in the proof of Lemma 9 (clock values a, b).

Figure 10: Configurations used in the proof of Theorem 7.
If we consider the execution described in the proof of Lemma 9, we can observe that p is infinitely often activated (by the fairness assumption) and that its clock is always in the set {b − 1, b, b + 1} (by closure of A). Since A is minimal and deterministic, we can deduce that the values of c_p over this execution follow a given cycle. We now characterize A by this cycle. More formally, we say that:

1. A is of type 1 if the cycle is b, b + 1, b, b + 1, . . .

2. A is of type 2 if the cycle is b, b − 1, b, b − 1, . . .

3. A is of type 3 if the cycle is b, b + 1, b − 1, b, b + 1, b − 1, . . .

Notice that the protocol SSU is of type 1.

Theorem 7 The stabilization time of any (1, 0)-strictly-stabilizing deterministic minimal asynchronous unison on chains is in Ω(L), where L is the maximum clock drift between two correct neighbors in the initial configuration.

Proof. Assume that A is a (1,0)-strictly-stabilizing deterministic minimal asynchronous
unison on chains.

We give the proof for the case where A is of type 1; the other cases are similar.

Let a, t be natural numbers. Consider the following initial configuration $s^0$: $V = \{p, q, r, s\}$,
$E = \{\{p, q\}, \{q, r\}, \{r, s\}\}$, s is Byzantine, and $c_p = a + 2t$, $c_q = a + 2t$, $c_r = a$, $c_s = a$ (see
Figure 10). Hence, we have a maximal clock drift of $L = 2t$.

Note that p is enabled to take the value $a + 2t + 1$ in $s^0$ (by Lemma 9 and the fact that A is
minimal and of type 1). By Lemmas [?] and the fact that A is minimal, we can deduce that
q is enabled to take the value $a + 2t - 1$ only when $c_p = a + 2t$. Similar reasoning holds for r,
which is enabled to take the value $a + 1$ when $c_s = a$.

Then, the following execution of A is possible: p is activated and takes value $a + 2t + 1$, p
is activated again and takes value $a + 2t$ (p is enabled by Lemma 9 and the new value is determined
by the type of A), q is activated and takes value $a + 2t - 1$, r is activated and takes value $a + 1$,
and s takes the value $a + 1$ (recall that s is Byzantine). We obtain the configuration $s^1$ depicted
in Figure 10.

We can observe that the first round $R_1$ of our execution ends in $s^1$ and that the maximal clock
drift between correct neighbors is now $2(t - 1)$.

By the same reasoning, we can construct a sequence of $t - 1$ rounds $R_i = s^{i-1} \ldots s^i$ ($2 \le i \le t$)
as follows: p is activated and takes value $a + 2t + 1 - i$, q is activated and takes value $a + 2t - i$,
r is activated and takes value $a + i$, and s takes the value $a + i$. We obtain the configuration $s^i$ at
the end of round $R_i$ ($2 \le i \le t$) depicted in Figure 10. At the end of round $R_i$ ($2 \le i \le t$), we
have a maximal clock drift of $2(t - i)$.
Figure 11: Configurations used in proof of Theorem 8.



We can conclude that, at the end of round $R_{t-1}$, the maximal clock drift is 2, whereas, at the
end of round $R_t$, the maximal clock drift is 1 (since we have $c_p - c_q = 1$ and $c_q - c_r = 0$). Since
$t = L/2$ by construction, A needs $\Omega(L)$ rounds to stabilize. □

Lower bound on rings. We now show that any (1,0)-strictly-stabilizing deterministic
minimal asynchronous unison on a ring needs $\Omega(L)$ rounds to stabilize, where L is the
largest clock drift between correct neighbors in the system.

In the following lemmas, A denotes any (1,0)-strictly-stabilizing deterministic minimal asynchronous
unison on a ring under a central strongly fair scheduler.

Lemma 10 When a processor is in unison with only one of its neighbors, any enabled rule of
A for this processor maintains this unison.

Proof. The proof of Lemma [?] directly applies here if we consider the following system:

$V = \{p, q, r\}$ and $E = \{\{p, q\}, \{q, r\}, \{r, p\}\}$. □

Lemma 11 When a processor p is in unison with only one of its neighbors (denote by q the other
neighbor of p), the following property holds: in any execution starting from this configuration in
which q remains not synchronized with p, p moves its clock closer to the clock of q in finite
time.

Proof. The proof of Lemma 8 directly applies here if we consider the following system:

$V = \{p, q, r, s\}$ and $E = \{\{p, q\}, \{q, r\}, \{r, s\}, \{s, p\}\}$. □

Theorem 8 The stabilization time of any (1,0)-strictly-stabilizing deterministic minimal asynchronous
unison on rings is in $\Omega(L)$ where L is the maximum clock drift between two correct
neighbors in the initial configuration.

Proof. Assume that A is a (1,0)-strictly-stabilizing deterministic minimal asynchronous
unison on rings.

Let a, k be natural numbers (t being already used below as a processor name). Consider the
following initial configuration $s^0$: $V = \{p, q, r, s, t\}$,
$E = \{\{p, q\}, \{q, r\}, \{r, s\}, \{s, t\}, \{t, p\}\}$, r is Byzantine, and $c_p = c_t = a + 2k$, $c_q = c_s = c_r = a$
(see Figure 11). Hence, we have a maximal clock drift of $L = 2k$.

Note that p and t are enabled to take the value $a + 2k - 1$ in $s^0$ (by Lemmas 10 and 11 and
the fact that A is minimal). By similar reasoning, we can deduce that q and s are enabled to take
the value $a + 1$.

Then, the following execution of A is possible: p is activated and takes value $a + 2k - 1$, t is
activated and takes value $a + 2k - 1$, q is activated and takes value $a + 1$, s is activated and takes
value $a + 1$, and r takes the value $a + 1$ (recall that r is Byzantine). We obtain the configuration
$s^1$ depicted in Figure 11.

We can observe that the first round $R_1$ of our execution ends in $s^1$ and that the maximal clock
drift between correct neighbors is now $2(k - 1)$.

By the same reasoning, we can construct a sequence of $k - 1$ rounds $R_i = s^{i-1} \ldots s^i$ ($2 \le i \le k$)
as follows: p is activated and takes value $a + 2k - i$, t is activated and takes value $a + 2k - i$, q is
activated and takes value $a + i$, s is activated and takes value $a + i$, and r takes the value $a + i$
(recall that r is Byzantine). We obtain the configuration $s^i$ at the end of round $R_i$ ($2 \le i \le k$)
depicted in Figure 11. At the end of round $R_i$ ($2 \le i \le k$), we have a maximal clock drift of
$2(k - i)$.

We can conclude that, at the end of round $R_{k-1}$, the maximal clock drift is 2, whereas,
at the end of round $R_k$, the maximal clock drift is 0. Since $k = L/2$ by construction, A needs
$\Omega(L)$ rounds to stabilize. □
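The two adversarial executions above are easy to check mechanically. The following Python script is an added example and not part of the paper: it replays the schedules from the proofs of Theorems 7 and 8 for arbitrary a and t (resp. k), recomputes the drift L between correct neighbors after every round, and checks, for every step of a correct processor, the two properties the proofs rely on, namely that the clock moves by exactly 1 (minimality) and that a processor never breaks a unison it already had with a neighbor (the property of Lemma 10 and its chain counterpart). The function names and the checker are mine; the Byzantine processor's behavior (copying the new value of its correct neighbor) is the one the proofs choose, and the only assumption beyond the text is that the Byzantine node is scheduled last in each round.

```python
# Added example, not the paper's code: replay of the lower-bound executions
# of Theorems 7 (chain) and 8 (ring) with a checker for minimality and for
# preservation of existing unisons by correct processors.

UNISON_DRIFT = 1   # two neighbours are "in unison" when |c_u - c_v| <= 1


def correct_drift(clocks, edges, byzantine):
    """L as used in the theorems: max drift over edges joining two correct nodes."""
    return max(abs(clocks[u] - clocks[v])
               for u, v in edges if u not in byzantine and v not in byzantine)


def neighbours(node, edges):
    return [v if u == node else u for u, v in edges if node in (u, v)]


def apply_step(clocks, edges, byzantine, node, value):
    """One activation.  A Byzantine node may write anything.  A correct node
    must (1) change its clock by exactly 1, as every correct step in the
    proofs does, and (2) keep every unison it already had with a neighbour
    (Lemma 10 / its chain counterpart).  Violations raise AssertionError."""
    old = clocks[node]
    if node not in byzantine:
        if abs(value - old) != 1:
            raise AssertionError(f"{node}: non-minimal move {old}->{value}")
        for nb in neighbours(node, edges):
            was_in_unison = abs(old - clocks[nb]) <= UNISON_DRIFT
            if was_in_unison and abs(value - clocks[nb]) > UNISON_DRIFT:
                raise AssertionError(f"{node}: move {old}->{value} breaks unison with {nb}")
    clocks[node] = value


def run(clocks, edges, byzantine, rounds):
    """Apply each round (a list of (node, value) activations) in order and
    return the drift L initially and after each round."""
    drifts = [correct_drift(clocks, edges, byzantine)]
    for steps in rounds:
        for node, value in steps:
            apply_step(clocks, edges, byzantine, node, value)
        drifts.append(correct_drift(clocks, edges, byzantine))
    return drifts


def chain_execution(a, t):
    """Theorem 7: chain p-q-r-s, s Byzantine, c_p = c_q = a+2t, c_r = c_s = a."""
    clocks = {'p': a + 2 * t, 'q': a + 2 * t, 'r': a, 's': a}
    edges = [('p', 'q'), ('q', 'r'), ('r', 's')]
    rounds = []
    for i in range(1, t + 1):
        # In round 1 the type-1 end processor p first steps up to a+2t+1.
        steps = [('p', a + 2 * t + 1)] if i == 1 else []
        steps += [('p', a + 2 * t + 1 - i), ('q', a + 2 * t - i),
                  ('r', a + i), ('s', a + i)]      # s (Byzantine) mirrors r
        rounds.append(steps)
    return run(clocks, edges, {'s'}, rounds)


def ring_execution(a, k):
    """Theorem 8: ring p-q-r-s-t-p, r Byzantine, c_p = c_t = a+2k, others a."""
    clocks = {'p': a + 2 * k, 'q': a, 'r': a, 's': a, 't': a + 2 * k}
    edges = [('p', 'q'), ('q', 'r'), ('r', 's'), ('s', 't'), ('t', 'p')]
    rounds = [[('p', a + 2 * k - i), ('t', a + 2 * k - i),
               ('q', a + i), ('s', a + i), ('r', a + i)]   # r (Byzantine) mirrors q, s
              for i in range(1, k + 1)]
    return run(clocks, edges, {'r'}, rounds)


def rounds_until_unison(drifts):
    """Number of rounds after which all pairs of correct neighbours are in unison."""
    return next(i for i, d in enumerate(drifts) if d <= UNISON_DRIFT)


if __name__ == "__main__":
    for name, execution in (("chain", chain_execution), ("ring", ring_execution)):
        drifts = execution(5, 4)
        print(f"{name}: L after each round = {drifts}, "
              f"rounds needed = {rounds_until_unison(drifts)}")
```

With a = 5 and t = k = 4 the script reports drifts [8, 6, 4, 2, 1] for the chain and [8, 6, 4, 2, 0] for the ring, i.e. exactly t = L/2 rounds before every pair of correct neighbors is in unison, matching the proofs. Changing any correct activation in a schedule to a jump of 2, or to a value that leaves a neighbor it was synchronized with more than 1 behind, makes the checker raise, which is the quickest way to confirm that a modified schedule still describes an execution the lemmas allow.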

Conclusion. Let us review our conclusions so far. Theorem [?] proves that the stabilization
complexity of SSU is in O(L) rounds, while Theorems 7 and 8 show that any (1,0)-strictly-stabilizing
algorithm requires $\Omega(L)$ rounds to stabilize. The following theorem summarizes these results.

Theorem 9 The stabilization complexity of SSU is optimal. It stabilizes in $\Theta(L)$ asynchronous
rounds where L is the largest drift between correct processors.

5 Conclusion

In this paper we explored joint tolerance to Byzantine and systemic transient faults for the
asynchronous unison problem in shared memory. The existence of algorithms that tolerate both
fault classes raises a question for further study: what are the properties of such algorithms in
more concrete execution models of finer atomicity, such as shared registers or message passing?
Lower atomicity models tend to empower faulty processors. Indeed, in the shared register model, a
Byzantine processor on a ring may report differing clock values to its right and left neighbors,
complicating fault recovery. In our future work we would like to pursue this research question.